1. Technical Field
This disclosure relates generally to protecting resources in a virtualized networking environment.
2. Background of the Related Art
An emerging information technology (IT) delivery model is cloud computing, by which shared resources, software and information are provided over the Internet to computers and other devices on-demand. Cloud computing can significantly reduce IT costs and complexities while improving workload optimization and service delivery. With this approach, an application instance can be hosted and made available from Internet-based resources that are accessible through a conventional Web browser over HTTP. An example application might be one that provides a common set of messaging functions, such as email, calendaring, contact management, and instant messaging. A user would then access the service directly over the Internet. Using this service, an enterprise would place its email, calendar and/or collaboration infrastructure in the cloud, and an end user would use an appropriate client to access his or her email, or perform a calendar operation.
Cloud compute resources are typically housed in large server farms that run networked applications, typically using a virtualized architecture wherein applications run inside virtual servers, or so-called “virtual machines” (VMs), that are mapped onto physical servers in a data center facility. The virtual machines typically run on top of a hypervisor, which is a control program that allocates physical resources to the virtual machines.
Virtualization offers significant benefits to the IT organization, but existing security solutions are not optimized to work in the virtual environment. Traditional security processes and technologies cannot effectively protect the additional layers, including the hypervisor, management stack and virtual network. As a result, virtualized servers may be less secure than the physical servers they replace, leaving organizations at risk of malicious attacks and failure to meet compliance mandates. To address these issues, it is known in the prior art to provide virtual server protection technologies, such as IBM® Security Virtual Server Protection for VMware®, to provide an integrated threat mitigation solution designed to enable organizations to exploit fully the benefits of server virtualization while protecting critical virtualized assets. Such technologies provide a set of security features, such as transparent intrusion protection service (IPS), VM automatic discovery, VM rootkit detection, inter-VM traffic analysis, virtual network access control, virtual infrastructure auditing, virtual patching, and the like.
To provide network security in a virtualization environment, there is a need to inspect traffic on the virtual network. There are many ways of inspecting the traffic between virtual machines, including using the interface provided by the hypervisor to extract packets from each VM directly, redirecting the traffic to a virtual appliance running separate packet processing services, and installing and executing an agent on each VM dedicated to this function. Regardless of which approach is used, it is desirable to avoid inspecting the same packet multiple times, as doing so may confuse the security module and/or itself trigger some security event. This “multiple inspection avoidance” (MIA) problem is known, and virtual server protection technologies such as described above may include configuration options to address it.
The concept of “protection scope” refers to a list of Internet Protocol (IP) addresses of every VM running on a hypervisor in a virtual network environment. IP addresses typically are expressed in a known format, such as a single IP address, an IP address range, or an IP block in CIDR notation. To ensure adequate security, IT or cloud administrators need to construct the protection scope associated with a hypervisor or other cloud resource so that virtual server or network protection technologies (such as transparent IPS) know which VMs should be protected. Moreover, the IPS service needs to understand the protection scope to provide other types of services, such as multiple inspection avoidance (MIA).
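The two preceding paragraphs describe the protection scope (a list of single addresses, ranges and CIDR blocks) and the MIA requirement that a packet seen at more than one virtual interface be inspected only once. The following Python is an added example written for this page, not code from the disclosure or from any product it names. It parses the three scope entry forms the text mentions, answers the membership question, and applies an assumed, illustrative MIA rule (inspect at the first in-scope hop only) under the assumption that the IPS observes every VM's virtual NIC; the scope entries and packet observations are constructed sample data.

```python
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_scope_entry(entry: str) -> List[Network]:
    """Parse one protection-scope entry into a list of networks.

    The three entry forms named in the text are accepted:
      single address      "10.0.0.5"
      address range       "10.0.0.10-10.0.0.20"
      CIDR block          "10.0.1.0/24"
    A range is expanded into the minimal set of CIDR blocks that cover it.
    """
    entry = entry.strip()
    if "-" in entry:
        lo_s, hi_s = entry.split("-", 1)
        lo = ipaddress.ip_address(lo_s.strip())
        hi = ipaddress.ip_address(hi_s.strip())
        if lo.version != hi.version or hi < lo:
            raise ValueError(f"malformed range: {entry!r}")
        return list(ipaddress.summarize_address_range(lo, hi))
    # strict=False lets a host address with a prefix ("10.0.1.5/24") denote
    # its enclosing block; a bare address becomes a /32 (or /128) network.
    return [ipaddress.ip_network(entry, strict=False)]


class ProtectionScope:
    """The set of VM addresses a hypervisor's IPS is responsible for."""

    def __init__(self, entries: Iterable[str]) -> None:
        self.networks: List[Network] = []
        for e in entries:
            self.networks.extend(parse_scope_entry(e))

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        # An IPv6 address is never "in" an IPv4 network (and vice versa).
        return any(addr in net for net in self.networks)


def inspection_decision(scope: ProtectionScope, src_ip: str, dst_ip: str,
                        observed_on: str) -> Tuple[str, str]:
    """Decide whether one observation of a packet should be inspected.

    Assumed (illustrative) deployment: the IPS hooks every VM's virtual NIC,
    so a packet between two VMs on the same hypervisor is observed twice,
    once leaving the source VM and once arriving at the destination VM.
    `observed_on` is the address of the VM whose vNIC produced this
    observation.  MIA rule used here (an assumption, not a product's rule):
    inspect at the first in-scope hop only.
    """
    src_in, dst_in = scope.contains(src_ip), scope.contains(dst_ip)
    if observed_on == src_ip:                       # egress observation
        if src_in:
            return "inspect", "egress of in-scope source"
        return "skip", "source out of scope; destination hop decides"
    if observed_on == dst_ip:                       # ingress observation
        if src_in:
            return "skip", "already inspected at in-scope source"
        if dst_in:
            return "inspect", "ingress of in-scope destination"
        return "skip", "neither endpoint in scope"
    # The emitting VM's vNIC carried a source address that is not its own:
    # the forged-address bypass the text warns about.  Inspect regardless of
    # scope so that a fake IP address cannot evade inspection.
    return "inspect", "source address does not match emitting VM"


# Constructed sample scope and packet observations (not from a real deployment).
SAMPLE_SCOPE = ProtectionScope(["10.0.0.5", "10.0.0.10-10.0.0.20", "10.0.1.0/24"])

SAMPLE_OBSERVATIONS = [
    ("10.0.0.5", "10.0.1.77", "10.0.0.5"),   # in-scope to in-scope, seen at sender
    ("10.0.0.5", "10.0.1.77", "10.0.1.77"),  # same packet, seen at receiver
    ("10.0.2.1", "10.0.1.77", "10.0.1.77"),  # out-of-scope sender to in-scope VM
    ("10.0.2.1", "10.0.2.2", "10.0.2.2"),    # neither endpoint in scope
    ("10.0.0.5", "10.0.1.77", "10.0.0.6"),   # VM 10.0.0.6 forging 10.0.0.5 as source
]


def run_sample() -> List[Tuple[str, str]]:
    """Apply the MIA rule to every constructed observation."""
    return [inspection_decision(SAMPLE_SCOPE, s, d, o) for s, d, o in SAMPLE_OBSERVATIONS]


if __name__ == "__main__":
    for obs, (verdict, why) in zip(SAMPLE_OBSERVATIONS, run_sample()):
        print(obs, "->", verdict, "(" + why + ")")
```

The second observation of the same packet is skipped because the source VM was already in scope, which is the MIA behaviour; the last observation is inspected even though the forged source address is in scope, because the decision is keyed on the interface that emitted the packet rather than on the address it claims.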
Typically, administrators use manual techniques to collect and manage the protection scope. This has proved challenging for several reasons. First, due to the use of P2V (physical-to-virtual) technologies, it has become very easy to convert a physical machine to a virtual machine. Such VMs, however, may be added from different departments or locations, and thus the administrator (to maintain the accuracy of the protection scope) is forced to specify IP addresses one by one, which is difficult to do consistently. Another problem is that new VMs often come on-line (or are started from inventory) dynamically, thus requiring the protection scope to be modified continuously to ensure it is correct for the current network configuration. Another problem is that a protection scope keyed on the IP addresses associated with a VM can be circumvented (e.g., by sending a packet with a fake source IP address to bypass inspection).
If the protection scope is not accurate, some traffic is not inspected correctly and thus some of the VMs will not be protected. Moreover, if the protection scope is malformed or otherwise stale, there may be security breaches in the environment.